In one of the most patient supply chain attacks in WordPress history, a popular plugin with over 70,000 active installations has been found carrying a dormant backdoor for over five years.
Security researcher Austin Ginder recently uncovered that the Quick Page/Post Redirect Plugin was tampered with as early as 2020. The tampering did not break the sites it touched; it silently turned them into vehicles for “parasite SEO” (spam content injected to borrow the host site’s search ranking) and remote code execution, all while evading the official WordPress plugin review team.
The Mechanism: A Tale of Two Backdoors
The attack was sophisticated, using two layers to keep control over a fleet of compromised sites without raising alarms.
- The Active Backdoor (The “Self-Updater”): The developer bundled a custom update-checker library. WordPress lets a plugin hook the update process and supply its own update source, a mechanism that paid plugins sold outside the directory use legitimately. Here, instead of polling the official WordPress.org servers, the library polled a private server controlled by the developer, so the attacker could push “stealth” updates that never appeared on the official repository and never passed its review.
- The Passive Backdoor (The Payload): This was the injected code itself. It reached out to a Command-and-Control (C2) server to fetch malicious content. To stay hidden, the code used “admin-masking”: the malicious content was served only to search-engine crawlers and ordinary visitors, while logged-in administrators saw a perfectly normal site, so the people most likely to look for it never saw it.
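Both layers leave textual fingerprints in a plugin’s PHP. The scanner below is an added illustration, not code from the plugin, from the researcher’s write-up, or from any WordPress tooling: it flags PHP files that hook WordPress’s plugin-update pipeline (the four hook names are real WordPress filters) while naming a host outside wordpress.org, and files that test both the visitor’s User-Agent for a crawler and the login state, which is the shape the admin-masking described above has to take. The plugin tree it scans, the function names and the host updates.example.invalid are constructed for the example.

```python
import re
import tempfile
from pathlib import Path

# Real WordPress filters a plugin must hook to supply its own update metadata.
UPDATE_HOOKS = {
    "pre_set_site_transient_update_plugins",
    "site_transient_update_plugins",
    "plugins_api",
    "plugins_api_result",
}
# Hosts the stock updater is expected to contact.
OFFICIAL_HOSTS = ("wordpress.org", "w.org")

HOOK_RE = re.compile(r"add_filter\s*\(\s*['\"]([A-Za-z0-9_]+)['\"]")
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")
UA_RE = re.compile(r"HTTP_USER_AGENT")
BOT_RE = re.compile(r"googlebot|bingbot|crawler", re.IGNORECASE)
AUTH_RE = re.compile(r"\b(?:is_user_logged_in|current_user_can)\s*\(")


def is_official_host(host: str) -> bool:
    """Exact or subdomain match only, so evil-wordpress.org does not pass."""
    host = host.lower()
    return any(host == h or host.endswith("." + h) for h in OFFICIAL_HOSTS)


def scan_php_source(source: str) -> dict:
    """Heuristics for one PHP file; returns the markers found, not a verdict."""
    hooks = sorted({h for h in HOOK_RE.findall(source) if h in UPDATE_HOOKS})
    hosts = sorted({h.lower() for h in URL_RE.findall(source) if not is_official_host(h)})
    # Cloaking needs all three: read the UA, test it for a crawler, and test login state.
    cloaking = bool(UA_RE.search(source) and BOT_RE.search(source) and AUTH_RE.search(source))
    return {"update_hooks": hooks, "offsite_hosts": hosts, "cloaking_markers": cloaking}


def scan_plugin_dir(plugin_dir: Path) -> list:
    """Report files that hook the update pipeline and name a non-wordpress.org host,
    or that carry the cloaking pattern. Paths are relative to the plugin root."""
    findings = []
    for php in sorted(plugin_dir.rglob("*.php")):
        r = scan_php_source(php.read_text(encoding="utf-8", errors="replace"))
        if (r["update_hooks"] and r["offsite_hosts"]) or r["cloaking_markers"]:
            r["file"] = php.relative_to(plugin_dir).as_posix()
            findings.append(r)
    return findings


# Constructed plugin tree. File names, function names and updates.example.invalid are
# hypothetical and are not taken from the real plugin.
SAMPLE_TREE = {
    "quick-redirect.php": """<?php
/* Plugin Name: constructed stand-in */
add_action('init', 'qr_init');
// Links to the official listing are fine:
// https://wordpress.org/plugins/quick-pagepost-redirect-plugin/
""",
    "inc/updater.php": """<?php
// Hypothetical self-updater: swaps the WordPress.org update check for a private server.
add_filter('pre_set_site_transient_update_plugins', 'qr_check_update');
function qr_check_update($transient) {
    $resp = wp_remote_get('https://updates.example.invalid/qr/check?v=5.2.3');
    return $transient;
}
""",
    "inc/render.php": """<?php
// Hypothetical cloaked output: shown to crawlers and anonymous visitors only.
if (!is_user_logged_in() && preg_match('/googlebot/i', $_SERVER['HTTP_USER_AGENT'])) {
    echo $injected_html;
}
""",
}


def demo() -> list:
    """Write the constructed tree to a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, body in SAMPLE_TREE.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(body, encoding="utf-8")
        return scan_plugin_dir(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Point scan_plugin_dir at wp-content/plugins/<slug> on a real install. A hit on the update hooks alone is not proof of compromise, since legitimate off-directory plugins use the same filters; a plugin distributed through WordPress.org that also polls a private host is the combination worth investigating.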
The “Inside Man” Strategy
What makes this case particularly chilling is the attribution: the attack was orchestrated by the plugin’s original author, anadnet.
The Timeline of Deception:
- Late 2020: The author intentionally committed the custom self-updater to the official WordPress repository.
- The Propagation: Thousands of sites downloaded the “official” version, unknowingly tethering themselves to the author’s private update server.
- The Pivot: Months later, the author sent a tampered payload through their private server.
- The Erasure: The author then removed the custom updater from the plugin’s public source code (GitHub and the WordPress.org SVN repository).
The maneuver erased the “smoking gun” from the public repository while leaving tens of thousands of existing installations tethered to the private update server, backdoored and waiting for instructions.
Detection and Impact
Scanners that key on the version string reported nothing, because the installed plugin still declared the current official version (5.2.3). The version header was right; the file hashes were not.
In April 2026, the WordPress plugin review team officially pulled the Quick Page/Post Redirect Plugin from the directory. The C2 server is currently offline, but the private update mechanism remains wired into thousands of sites; whoever controls that server can push code to them again, so it acts as a “sleeper cell” that could be reactivated at any moment.
How to Secure Your Website
If you have this plugin installed, simply “updating” it may not be enough: the installed copy already reports the current official version number, so WordPress sees nothing to update, and the plugin’s own update channel does not point at WordPress.org in the first place.
- Verify Checksums: Use the WordPress Command Line Interface (WP-CLI) to compare the installed plugin files against the checksums WordPress.org publishes for that release:
  wp plugin verify-checksums quick-pagepost-redirect-plugin
  (wp plugin verify-checksums --all checks every installed plugin.) If WordPress.org no longer serves checksums for a plugin that has been removed from the directory, the command reports that it could not fetch them; treat that as no answer, not as a clean result.
- Audit for Mismatches: If the command reports a changed, missing or added file, your copy has been tampered with. A file that is not part of the official release is as serious as a modified one.
- Immediate Action: Security experts recommend completely uninstalling the plugin; deactivating it leaves the tampered files on disk. Replace it with an actively maintained alternative that updates only through WordPress.org.
- Check for Cloaked Content: Because the injected content is hidden from logged-in administrators, view the site while logged out, or fetch a page with a search-engine User-Agent, and compare the result with what you see as an administrator.
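A version check is satisfied by one line in a file header; a checksum check is not. The script below is an added example, not WP-CLI’s code, and does offline what wp plugin verify-checksums does against the live checksum service: hash every installed file, compare it with a per-release manifest, and report changed, missing and added files. The manifest layout (files, keyed by path, each with md5 and sha256) is assumed from how WP-CLI consumes https://downloads.wordpress.org/plugin-checksums/<slug>/<version>.json; the plugin files, the injected inc/loader.php and every hash are constructed here.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed stand-ins for a release's shipped files; not the real plugin's contents.
GOOD_FILES = {
    "quick-pagepost-redirect-plugin.php": (
        b"<?php\n/*\nPlugin Name: constructed stand-in\nVersion: 5.2.3\n*/\n"
    ),
    "readme.txt": b"=== constructed readme ===\nStable tag: 5.2.3\n",
    "js/redirect.js": b"// constructed helper script\n",
}


def build_manifest(files: dict, slug: str, version: str) -> dict:
    """Assumed layout of the per-release checksum document that
    `wp plugin verify-checksums` fetches: files -> path -> {md5, sha256}."""
    return {
        "plugin": slug,
        "version": version,
        "files": {
            rel: {"md5": hashlib.md5(body).hexdigest(),
                  "sha256": hashlib.sha256(body).hexdigest()}
            for rel, body in files.items()
        },
    }


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def declared_version(main_php: Path):
    """The 'Version:' plugin header, which is all a version-based scanner looks at."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", main_php.read_text(errors="replace"), re.M)
    return m.group(1) if m else None


def verify_plugin_dir(plugin_dir: Path, manifest: dict) -> dict:
    """Compare every file on disk with the manifest: changed, missing and added files
    all count as a failed verification."""
    expected = manifest["files"]
    report = {"mismatched": [], "missing": [], "unexpected": []}
    for rel, digests in expected.items():
        p = plugin_dir / rel
        if not p.is_file():
            report["missing"].append(rel)
        elif sha256_file(p) != digests["sha256"]:
            report["mismatched"].append(rel)
    for p in plugin_dir.rglob("*"):
        if p.is_file():
            rel = p.relative_to(plugin_dir).as_posix()
            if rel not in expected:
                report["unexpected"].append(rel)
    for key in ("mismatched", "missing", "unexpected"):
        report[key].sort()
    report["clean"] = not (report["mismatched"] or report["missing"] or report["unexpected"])
    return report


def write_tree(root: Path, files: dict) -> None:
    for rel, body in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(body)


def demo() -> dict:
    """Verify a pristine copy, then the same copy after tampering of the kind described."""
    manifest = build_manifest(GOOD_FILES, "quick-pagepost-redirect-plugin", "5.2.3")
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        write_tree(root, GOOD_FILES)
        pristine = verify_plugin_dir(root, manifest)
        # Version header left alone, code appended to the main file, an extra file
        # dropped in, a shipped file removed.
        main = root / "quick-pagepost-redirect-plugin.php"
        main.write_bytes(main.read_bytes() + b"require_once __DIR__ . '/inc/loader.php';\n")
        write_tree(root, {"inc/loader.php": b"<?php // hypothetical injected file\n"})
        (root / "js" / "redirect.js").unlink()
        tampered = verify_plugin_dir(root, manifest)
        tampered["declared_version"] = declared_version(main)
        return {"manifest_version": manifest["version"], "pristine": pristine, "tampered": tampered}


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

The tampered copy still declares the manifest’s version, 5.2.3, and would pass any check that stops at the header; the hash comparison reports the appended code, the added file and the missing one.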
Conclusion: The Long Game of Cybercrime
The Quick Page/Post Redirect compromise is a stark reminder that trust in the open-source ecosystem can be weaponized. When a developer turns against their own user base, traditional security checks can fail. In 2026, the integrity of a plugin is defined not by its version number, but by its verifiable history.